Skip to main content

Dynamic Content- Extensions permissions

Release date: 2nd November 2020

In this release we’ve added some enhancements to the extensions registration window to provide you with more control over the features that an extension is allowed to access.

Extensions are simple web applications that are used to render a property within the content editing form, replacing the standard rendering for a particular type of control. Extensions can be registered on a hub so that they can be used in multiple content type schemas. On this page we'll provide you with quick overview of the enhancements made to the extensions registration page.

Setting extension permissions
Link copied!

A "permissions" section has been added to the extensions registration window (1 in the image below). From this section you can specify two sets of permissions: API permissions and Sandbox permissions.

A permissions section has been added to the extensions registration window. From here you can choose to allow access to the Dynamic Content Management API and configure the sandbox permissions for an extension

All permissions will initially be set to off by default and are configured per extension and for the current user. The user controls which permissions are set for an extension, the extension cannot modify which permissions it is granted.

The API permissions allow you to grant this extension permission to access the Dynamic Content Management API. You can choose to enable "Read access" ("GET" methods) and "Modify access" (all other methods). If you leave these permissions set to off, then the extension will be denied access to the API. Even if the extension is granted access to the API, the user must also have the appropriate API permissions.

Extensions are loaded into an iFrame which has the sandbox attribute set. This attribute enforces restrictions on the iFrame content. You can choose to remove some sandbox restrictions from the sandbox permissions section. These are standard sandbox attributes supported by Chrome, Safari and Firefox.

If the "Allow same origin" permission is not enabled, then any requests sent by the extension will be treated as being from a special origin and will fail the same origin policy. The other permissions in the sandbox section include allowing the extension to show modal windows, submit forms and display pop up windows. You can find more information on the registering extensions page.

Note that existing extensions will have all permissions set to off, so if you need any sandbox permissions, then you'll need to set these from the registration screen.

Including the extension URL in your content type schema

Permissions are only available to registered extensions. If you are including the extension URL in your schema instead of registering it, then your extension will not be granted any permissions.

When you make changes to the permissions configured for an extension, click the "Save" button to submit the changes. You'll be asked to confirm that you want to make the changes.

When you make changes to the permissions set for an extension you will be asked to confirm you changes

Extensions overview

Registering extensions

Dynamic Content Extensions SDK

The iFrame sandbox attribute